Fredy Wijaya has uploaded a new patch set (#17). ( http://gerrit.cloudera.org:8080/12632 )

Change subject: IMPALA-8100: Add initial support for Ranger
......................................................................

IMPALA-8100: Add initial support for Ranger

This patch adds initial support for Ranger that can be enabled via the
following flags in both impalad and catalogd to do enforcement.
- ranger_service_type=hive
- ranger_app_id=some_app_id
- authorization_factory_class=\
    org.apache.impala.authorization.ranger.RangerAuthorizationFactory

The Ranger plugin for Impala uses the Hive service definition to allow
sharing Ranger policies between Hive and Impala. Temporarily, the REFRESH
privilege uses the "read" access type, and it will be updated in a later
patch once Ranger supports the "refresh" access type.

There's a change in the DESCRIBE <table> privilege requirement to use the
ANY privilege instead of the VIEW_METADATA privilege as the first-level
check to play nicely with Ranger. This is not a security risk since the
column-level filtering logic after the first-level check will use the
VIEW_METADATA privilege to filter out unauthorized column access. In other
words, DESCRIBE <table> may return an empty result instead of an
authorization error as long as there exists any privilege in the given
table.

This patch updates AuthorizationStmtTest with a parameterized test that
runs the tests against Sentry and Ranger.

Testing:
- Updated AuthorizationStmtTest with Ranger
- Ran all FE tests
- Ran all E2E authorization tests

Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
---
M be/src/service/frontend.cc
M be/src/util/backend-gflag-util.cc
M bin/rat_exclude_files.txt
M common/thrift/BackendGflags.thrift
M fe/pom.xml
M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationPolicy.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationProvider.java
M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/NoneAuthorizationFactory.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationConfig.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationFactory.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java
M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationFactory.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M fe/src/main/java/org/apache/impala/service/Frontend.java
M fe/src/test/java/org/apache/impala/analysis/AnalyzerTest.java
M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/sentry/SentryProxyTest.java
M fe/src/test/java/org/apache/impala/common/FrontendFixture.java
M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java
M fe/src/test/java/org/apache/impala/testutil/ImpaladTestCatalog.java
A fe/src/test/resources/ranger-hive-audit.xml
A fe/src/test/resources/ranger-hive-security.xml
M impala-parent/pom.xml
M testdata/bin/create-load-data.sh
M testdata/cluster/.gitignore
A testdata/cluster/ranger/setup/impala_service.json
A testdata/cluster/ranger/setup/impala_user.json.template
38 files changed, 1,131 insertions(+), 237 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/32/12632/17
--
To view, visit http://gerrit.cloudera.org:8080/12632
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
Gerrit-Change-Number: 12632
Gerrit-PatchSet: 17
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Paul Rogers <prog...@cloudera.com>
Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
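
The two-level DESCRIBE <table> check described in the commit message above, as an added Python model (not code from the patch or from Impala). The function names, the grant layout, the sample users and the set of privileges that satisfy VIEW_METADATA are all assumptions made for illustration.

```python
# Model of the two-level DESCRIBE <table> check from the commit message.
# All names and the grant layout are hypothetical, not Impala's classes.

# Assumption of this model: which granted privileges satisfy VIEW_METADATA.
SATISFIES_VIEW_METADATA = {"ALL", "SELECT", "INSERT", "REFRESH", "VIEW_METADATA"}


class AuthorizationError(Exception):
    pass


def has_any_privilege(grants, table):
    """First-level check: ANY privilege on the table or one of its columns
    (counting column-level grants here is an assumption of this model)."""
    return any(privs for (tbl, _col), privs in grants.items() if tbl == table)


def can_view_column(grants, table, column):
    """Second-level check: VIEW_METADATA from a table- or column-level grant."""
    granted = grants.get((table, None), set()) | grants.get((table, column), set())
    return bool(granted & SATISFIES_VIEW_METADATA)


def describe_table(grants, table, columns):
    """Return the columns the caller may see, or raise if no privilege exists."""
    if not has_any_privilege(grants, table):
        raise AuthorizationError(f"no privilege on {table}")
    return [c for c in columns if can_view_column(grants, table, c)]


# Constructed sample data: (table, column or None for table level) -> privileges.
TABLE = "db.customers"
COLUMNS = ["id", "name", "ssn"]
GRANTS = {
    "alice": {(TABLE, None): {"SELECT"}},                              # every column
    "bob": {(TABLE, "id"): {"SELECT"}, (TABLE, "name"): {"SELECT"}},   # two columns
    "carol": {(TABLE, None): {"DROP"}},   # passes ANY, fails VIEW_METADATA: empty
    "dave": {},                           # no privilege at all: authorization error
}


def describe_as(user):
    """Run DESCRIBE for a sample user; errors are returned as a string."""
    try:
        return describe_table(GRANTS[user], TABLE, COLUMNS)
    except AuthorizationError as e:
        return f"AuthorizationError: {e}"


if __name__ == "__main__":
    for user in GRANTS:
        print(user, "->", describe_as(user))
```

The `carol` case is the behavior change the message calls out: a caller holding some privilege that does not satisfy VIEW_METADATA gets an empty result rather than an authorization error.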